Getting Data In

Weblogic 10.x logs for datasource

pandyaparth
New Member

Hi All,

I'm trying to add WebLogic 10.3 log files to the indexer and I'm struggling to get the timestamp parsed correctly. I'm new to Splunk, so I may need a bit more step-through/concept help; please ignore my lack of understanding.

  1. I add the data via a local log file. It's more for ad-hoc analysis at this point; I will get to the forwarder later!
  2. I specify the source type as log4j.
  3. In the preview screen the dates don't match, and the timestamp is wrong compared to the data in the log messages.

My log file has data like this:

<13/08/2012 12:00:14 AM EST> <[ACTIVE] ExecuteThread: '10' for queue: 'weblogic.kernel.Default (self-tuning)'> <> <> <> <1344175214433> <Failed to communicate with proxy: xx.xx.xx.xxx/8080. Will try connection xx.xx.xx.xxx/8081 now.

The parsing/output in Preview looks like this:
8/6/12 3:00:14.000 PM ####<13/08/2012 12:00:14 AM EST>

As you can see, the parsing of the date and time isn't working, and I get an exclamation mark in the preview complaining about 'could not use strptime to parse the timestamp...'

The currently applied settings look like this in the preview page:

NO_BINARY_CHECK=1

TIME_FORMAT=%d/%m/%Y %I:%M:%S %p

TZ=Australia/Melbourne

These previous posts don't work and complain about syntax at startup time.
http://splunk-base.splunk.com/answers/8142/how-do-i-extract-useful-information-into-fields-from-orac...

Any help would be appreciated...

Thanks heaps,
Parth

0 Karma
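An offline check of the TIME_FORMAT value from the question against a line with this layout, added here as an example and not part of the thread. Python's strptime stands in for Splunk's parser, the format is assumed to apply at the start of the text it is given (the job a prefix setting such as TIME_PREFIX does in props.conf), and the sample line, the fixed UTC+10 offset and the function names are constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

TIME_FORMAT = "%d/%m/%Y %I:%M:%S %p"   # value from the post, unchanged
AEST = timezone(timedelta(hours=10))    # assumption: fixed UTC+10 for Melbourne in August
PREFIX = re.compile(r"^####<")          # assumption: leading text seen in the preview output
STAMP = re.compile(r"\d{2}/\d{2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M")
EPOCH_MS = re.compile(r"<(\d{13})>")    # millisecond epoch field later in the line

# Constructed sample: same layout as the post, values chosen so both time fields agree.
SAMPLE = ("####<06/08/2012 12:00:14 AM EST> <[ACTIVE] ExecuteThread: '10'> "
          "<> <> <> <1344175214433> <constructed message>")


def parse_timestamp(line, skip_prefix):
    """Apply TIME_FORMAT at the start of the text, optionally after the prefix."""
    text = PREFIX.sub("", line, count=1) if skip_prefix else line
    match = STAMP.match(text)           # anchored: the timestamp must come first
    if match is None:
        return None
    return datetime.strptime(match.group(0), TIME_FORMAT).replace(tzinfo=AEST)


def epoch_drift_seconds(line):
    """Seconds between the parsed text timestamp and the line's epoch field."""
    parsed = parse_timestamp(line, skip_prefix=True)
    epoch = EPOCH_MS.search(line)
    if parsed is None or epoch is None:
        return None
    return int(epoch.group(1)) // 1000 - int(parsed.timestamp())


if __name__ == "__main__":
    print("from event start:", parse_timestamp(SAMPLE, skip_prefix=False))
    print("after prefix:    ", parse_timestamp(SAMPLE, skip_prefix=True))
    print("drift vs epoch:  ", epoch_drift_seconds(SAMPLE), "s")
```

A non-zero drift on real lines points at a wrong timezone or a swapped day/month order before the data reaches the index.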

PeterChu
Explorer

Hi, I am also new to Splunk.
I met the same problem: _time can't be mapped to the true log time.
My solution is as below.
First:
I go to WLS Server-->server-->your server name-->logging-->advanced-->Date Format Pattern
I change it from yyyy/M/d ahh'時'mm'分'ss'秒' z to yyyy/M/d HH'-'mm'-'ss'-' z

Second:
Then I restart the WLS server and go to the Splunk server to create a new field named log_time,
with a pattern like
log_time=2014/11/24 15-32-50

Now you can use log_time to search your wls_log, like
host=Peter-PC log_time>"2014/11/23 11-00-00", and you get the events that occurred after 2014/11/23 11-00-00.

I hope this can help you.

by Peter

0 Karma

PeterChu
Explorer

I found something that could be better.
In the same way, change the date format pattern in the WebLogic console log config:
change it to yy/M/d HH':'mm':'ss, for example 14/12/12 16:52:09

Then Splunk can parse this pattern into the default _time field correctly.
So you can use _time to search and don't need to define a log_time field.

0 Karma